Clarifying the $25 Million Threshold in the Final CCPA Regulations

CCPA regulations
Print Friendly, PDF & Email

On August 14, 2020, the Office of Administrative Law (“OAL”) approved the California Department of Justice’s final California Consumer Privacy Act (“CCPA”) regulations and filed them with the California Secretary of State. Prior to approval, some businesses were uncertain as to whether the $25 million revenue threshold was related to revenue generated only from California State sales, California residents, or total global revenues. The California Attorney General’s Office has since clarified that limiting the threshold to revenue generated only in California or from California State residents would be inconsistent with the intended broad reach of the CCPA regulations. 

What businesses are regulated by CCPA Regulations?

Businesses Subject to CCPA Enforcement

The CCPA applies to businesses that: 1) do business in the State of California; 2) collect California State resident personal information; and 3) satisfy at least one of the following thresholds:

  • Have annual gross revenue of over $25 million;
  • Buy, receive, sell or share the personal information of 50,000 or more consumers (a “consumer” is defined as a California resident), households or devices for commercial purposes each year; or
  • Derive 50% or more of annual revenue from selling consumer personal information.

Clarifying that annual gross revenue of over $25 million is calculated on total global revenue (regardless of where the revenue is derived from) instead of revenue from California state sales or California residents subjects many more businesses to CCPA enforcement than some had hoped. 

Compliance with CCPA Regulations

Despite the fact that approval of the final CCPA regulations did not occur until August 14, 2020, enforcement of the CCPA began back on July 1, 2020. If they have not already, businesses must take appropriate measures to now comply with the CCPA. Civil penalties range from $2,500 for a non-intentional CCPA violation, to $7,500 for an intentional violation. Additionally, California consumers can bring private rights of action against businesses for data breaches that have exposed non-encrypted and non-redacted personal information to unauthorized third parties.

As readers of this blog know, the privacy-right activist group, Californians for Consumer Privacy, has qualified the California Privacy Rights Act (“CPRA”) (which some are calling CCPA 2.0) for the November 3, 2020 ballot. If this measure were to be written into law, California would move one step closer to implementing a GDPR-like privacy regime. In the interim, data privacy will continue to be a hot-button issue across the country. As such, businesses must be mindful of the ever-moving compliance target or face the regulatory and financial consequences of enforcement. 

If you require assistance with consumer data privacy compliance for your business, please email us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney. 

Attorney Advertising

Photo by Maxim Ilyahov on Unsplash

Related Blog Posts:

CCPA Service Provider Agreements: Accounting for the California Consumer Privacy Act (CCPA)

CCPA Record Keeping Requirements

CCPA Forms: The Right to Opt-Out, Request to Know and Request to Delete

David O. Klein

David O. Klein

David Klein is one of the most recognized attorneys in the telemarketing, technology, Internet marketing, sweepstakes and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Schedule a Call
In The Know

Trending Topics

Creating a Viral and Legally Compliant "Pin to Win" Contest- Klein Moynihan Turco

Creating a Viral (And Legally Compliant) “Pin to Win” Contest

Print Friendly, PDF & Email

We have frequently written about the marketing benefits associated with the use of promotional contests and sweepstakes.  Promotional contests and sweepstakes often appear on social media platforms, which provide companies with a free and effective means to increase the number of consumers participating in their respective contests. While companies must

Facebook Decision defines a TCPA Autodialer- Klein Moynihan Turco LLP

Facebook Aftermath: Courts Clarify Definition of TCPA Autodialer

Print Friendly, PDF & Email

On April 1st, the U.S. Supreme Court released its opinion in Facebook, Inc. v. Duguid, marking a newly clarified definition of “autodialer” within the meaning of the Telephone Consumer Protection Act (“TCPA”). In the two weeks that followed, two federal courts have directly addressed the definition of TCPA autodialer as

Critical Role that TCPA Plays in Outbound Telemarketing- KMT

The Critical Role that the TCPA Plays in Outbound Telemarketing

Print Friendly, PDF & Email

If you’re running any sort of outbound telemarketing campaign – phone calls, voicemail drops, or text messaging – you need to understand the Telephone Consumer Protection Act (TCPA) and its enabling regulations. Call center operators are not the only businesses that employ outbound telemarketing to reach out to consumers. Using

How to Use Promotional Marketing the Legal Way: Klein Moynihan Turco LLP

How To Use Promotional Marketing The Legal Way

Print Friendly, PDF & Email

The use of promotional contests, games and sweepstakes marketing can be a dynamic and cost-effective way to increase sales, build a database of interested consumers and otherwise increase brand awareness and buzz. Consumers are more easily attracted to your marketing message by the opportunity to win prizes than with more

Share on facebook
Share on google
Share on twitter
Share on linkedin